On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox. The UCPA is the latest addition to the growing patchwork of comprehensive state privacy laws in the US, joining the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).
The UCPA follows suit with many of the provisions found under the CCPA, CPRA, CDPA, and CPA, such as similarities in the application threshold, exemptions for employee data, and the inclusion of sensitive personal information. It is said that the similarities between the UCPA and other US state privacy laws will lessen the burden on privacy teams that need to factor compliance with the UCPA into their existing US state privacy compliance programs.
There are also several differences to note between the UCPA and laws in California, Virginia, and Colorado, and while these differences are important to understand, they do not introduce anything that falls too far from the provisions seen in existing US state privacy laws. One difference to pay close attention to is the UCPA’s definition of ‘sale’ which includes an exemption for personal data being disclosed to a third party if the disclosure is consistent with the ‘reasonable expectations’ of the consumer. The definition of sale also excludes the term ‘other monetary consideration’ – something that is seen in the CCPA, CPRA, and CPA.
The UCPA will take effect on December 31, 2023.
The UCPA applies to organizations that conduct business in the state of Utah or produce a product or service that targets consumers who are residents of the state.
Organizations will fall under the scope of the UCPA if they have annual revenues of over $25,000,000, and either:
The UCPA includes many exemptions from its provisions including employee data and other types of regulated data such as that found under the Gramm-Leach-Bliley Act (GLBA) or HIPAA. The UCPA will also not apply to non-profit organizations or higher education institutions, much like the CDPA and CPA.
The incoming privacy law in Utah will provide consumers with similar rights to those found under existing state privacy laws. There are some subtle differences in what these rights cover in certain instances, however, at a high level the UCPA provides consumers with:
One of the differences found within the UCPA’s consumer rights is a limitation to the right to erasure where consumers can only request the deletion of personal data that they have provided directly to the organization.
The UCPA’s right to opt-out of processing only covers the processing of personal data for purposes of targeted advertising and the sale of personal data. This differs from the CDPA and the CPA by excluding the opportunity for consumers to opt out of profiling.
Organizations should provide at least one method for consumers to submit rights requests and have 45 days from receipt of the request to respond to the consumer. A 45-day extension is available if necessary due to the complexity of the request.
The new privacy law in Utah outlines several requirements for covered organizations to comply with. Many of these requirements fall under familiar topics including transparency, purpose specification, data minimization, consent, and security.
One of the areas that the UCPA is unique is its requirements relating to the processing of sensitive personal information. Data controllers that process sensitive personal information do not need to obtain consent from the consumer, however, it is required that the data controller presents the consumer with the opportunity to opt-out of the processing of their sensitive personal information before the processing commences.
In relation to processing children’s data, the UCPA requires the data controller to obtain parental consent to process the personal information of a minor, in accordance with COPPA.
The UCPA will be enforced by the Utah Attorney General (AG), however, cases brought before the AG will first have to be deemed valid by the Utah Department of Commerce’s Division of Consumer Protection.
Organizations that are found to have violated the provisions of the UCPA have a 30-day cure period to rectify the areas of non-compliance concerned. Unlike the cure period found under the CPA, the UCPA’s cure period facility will not sunset at a later date.
If the organization fails to rectify the non-compliance within the 30-day cure period, the AG may recover:
Money received from enforcement actions brought forward by the AG will be deposited into a ‘Consumer Privacy Account’.
In a similar fashion to the CDPA and the CPA, the UCPA does not provide consumers with a private right of action
OneTrust offers organizations an automated platform that helps to simplify compliance with US state privacy laws, including the Utah Consumer Privacy Act. With OneTrust, your organization can utilize automated data discovery, mapping, and classification to help find, catalog, and categorize personal and sensitive personal information to ensure it is governed appropriately. OneTrust can also assist with automating the privacy rights request process, data protection assessments, and consent management.
Request a demo to see how OneTrust can help your organization on the road to compliance with the Utah Consumer Privacy Act